Data Stealing macOS Trojan Is Back Spreading Through Compromised Software Downloads
Sep 1, 2025 5:44 AM

macOS users who have downloaded Elmedia Player from the developer's website may have installed a trojanized copy of the media player. Security researchers revealed last night that Eltima has been "distributing a version of their application trojanized with the OSX/Proton malware on their official website." The company has said that it suffered a security breach.

The incident may remind some of the CCleaner episode last month, which inadvertently put the security of millions at risk when a malicious copy of the utility was being distributed via Avast's own servers. That company also reported a security breach, and the subsequent investigation revealed that the malicious payload was designed for industrial espionage, with a hit list that included Google and Intel.

As for the latest incident, researchers at ESET informed Eltima, the maker of Elmedia Player, that its site was distributing the OSX/Proton malware through its software. Eltima cleaned up its website at 3:10pm EDT on October 19, and the site is now serving legitimate applications. The security firm says that the company was "very responsive and maintained an excellent communication with us throughout the incident."

How to see if you are affected by this data stealing Proton RAT

Since the timeline of the attack is unknown at the moment, it is unclear how many users may have been affected. The media player boasts over a million downloads. If you are a user, ESET suggests looking for the following files and directories to check whether you have been compromised.

/tmp/Updater.app/

/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist

/Library/.rand/

/Library/.rand/updateragent.app/

If any of these exists, OSX/Proton is most likely running on your system. Security experts have advised a complete macOS reinstall, as that is the "only sure way to get rid of the malware."

OSX/Proton is a Remote Access Trojan designed to steal data from macOS users and stay persistent on the target system. From operating system details to browser history and macOS keychain data, the trojan is capable of stealing all the sensitive information stored on your computer. Here's the full list revealed by ESET.

Operating system details: hardware serial number (IOPlatformSerialNumber), full name of the current user, hostname, System Integrity Protection status (csrutil status), gateway information (route -n get default | awk '/gateway/ { print $2 }'), current time & timezone
Browser information from Chrome, Safari, Opera and Firefox: history, cookies, bookmarks, login data, etc.
Cryptocurrency wallets:
  Electrum: ~/.electrum/wallets
  Bitcoin Core: ~/Library/Application Support/Bitcoin/wallet.dat
  Armory: ~/Library/Application Support/Armory
SSH private data (entire .ssh content)
macOS keychain data using a modified version of chainbreaker
Tunnelblick VPN configuration (~/Library/Application Support/Tunnelblick/Configurations)
GnuPG data (~/.gnupg)
1Password data (~/Library/Application Support/1Password 4 and ~/Library/Application Support/1Password 3.9)
List of all installed applications

Researchers add in their report that "victims should also assume at least all the secrets outlined" above are "compromised and take appropriate measures to invalidate them." Distribution of the malicious copy has now been stopped.
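The check above and the list of secrets to invalidate can be combined into one script. The following is an added example written for this article, not code from ESET or Eltima: it looks for the four indicator paths ESET lists and then reports which of the harvested credential and wallet stores exist on the machine, so the owner knows what to rotate. The prefix and home-directory arguments are assumptions added so the script can also be run offline against a mounted copy of a disk.

```shell
#!/bin/sh
# Added example (not from the article or ESET): check a macOS system, or a
# copy of its filesystem mounted under a prefix, for the OSX/Proton artifacts
# ESET lists, then list the secret stores Proton harvests so the owner knows
# what to rotate. The prefix/home arguments are assumptions for offline use.

# Artifacts ESET lists as evidence of an OSX/Proton infection (no spaces, so
# word-splitting the list in a for loop is safe).
PROTON_INDICATORS="/tmp/Updater.app
/Library/LaunchAgents/com.Eltima.UpdaterAgent.plist
/Library/.rand
/Library/.rand/updateragent.app"

# Print every indicator present under prefix $1 (default: the live root).
# Exit status 0 if at least one exists, 1 if none does.
check_proton_indicators() {
    root="${1:-}"
    found=1
    for p in $PROTON_INDICATORS; do
        if [ -e "$root$p" ]; then
            printf 'FOUND: %s\n' "$root$p"
            found=0
        fi
    done
    return "$found"
}

# Print the credential and wallet stores Proton collects that exist under
# home directory $1 (default: $HOME). These paths contain spaces, so they
# are read line by line from a here-document instead of being word-split.
list_secret_stores() {
    home="${1:-$HOME}"
    while IFS= read -r rel; do
        if [ -e "$home/$rel" ]; then
            printf 'ROTATE: %s\n' "$home/$rel"
        fi
    done <<EOF
.electrum/wallets
Library/Application Support/Bitcoin/wallet.dat
Library/Application Support/Armory
.ssh
.gnupg
Library/Application Support/Tunnelblick/Configurations
Library/Application Support/1Password 4
Library/Application Support/1Password 3.9
EOF
}

# Run against the live system when the script is executed.
check_proton_indicators "" || echo "No OSX/Proton indicators found."
list_secret_stores "$HOME"
```

A FOUND line means the indicator exists and the reinstall advice above applies; each ROTATE line is a store whose contents should be treated as exposed and invalidated, as ESET recommends.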

Attackers can further use Proton to download and execute new malware on infected systems, so a macOS reinstall is strongly advised to users who have downloaded a copy from Eltima's website.
